[Standards] SHA-1

Florian Schmaus flo at geekplace.eu
Thu Feb 23 14:36:39 UTC 2017


On 23.02.2017 15:19, Peter Waher wrote:
> Hello all.
> 
> 
> SHA-1 is used in many places throughout XMPP. Examples include
> authentication mechanisms (SCRAM-SHA-1) and entity capabilities
> (XEP-0115), for instance. Concerning the recent report about
> vulnerabilities found in SHA-1, should there be an effort to upgrade all
> these to SHA-256 or later?

The examples you gave already come with built-in hash agility. For SCRAM
there is RFC 7677, and XEP-0115 has the 'hash' attribute.

But it may be sensible to change the mandatory hash algorithm of
XEP-0155. And after we decided a successor of SHA-1 for XEP-0115 we
could also fix the existing flaws of XEP-0115 like [1], because this
would require a namespace bump anyway.

I'm curious if we have protocols without hash agility. Those would be
the ones who need the most attention.

- Florian

1:
http://markmail.org/message/mbkmaz52lgkeju6s#query:+page:1+mid:mbkmaz52lgkeju6s+state:results

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 610 bytes
Desc: OpenPGP digital signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20170223/928484b6/attachment.sig>


More information about the Standards mailing list